Re: The Kernel Is A Huge Security Hole In Windows
From: Miha Pihler (miha-news_at_atlantis.si)
Date: 07/17/04
- Next message: Steven L Umbach: "Re: I need to download widows installer"
- Previous message: Matt: "size of used capacity is larger than expect: means virus in my machine?"
- In reply to: CHANGE USERNAME TO westes: "Re: The Kernel Is A Huge Security Hole In Windows"
- Next in thread: Karl Levinson [x y] mvp: "Re: The Kernel Is A Huge Security Hole In Windows"
Date: Sat, 17 Jul 2004 19:03:06 +0200
I see you haven't looked at this, posted in one of my previous posts.
Description of the Windows File Protection Feature
http://support.microsoft.com/default.aspx?scid=kb;EN-US;222193
In this article it is explained:
If WFP finds the file in the cache folder or if the installation source is
automatically located, WFP silently replaces the file. If WFP cannot
automatically find the file in any of these locations, you receive one of
the following messages, where file_name is the name of the file that was
replaced and product is the Windows product you are using:
Windows File Protection
Files that are required for Windows to run properly have been replaced by
unrecognized versions. To maintain system stability, Windows must restore
the original versions of these files. Insert your product CD-ROM now.
This means that if a virus were to replace a system file in e.g. the
%systemroot%\system32 folder AND in the %systemroot%\system32\dllcache folder at
the same time, the operating system will demand that you insert a CD with the
original installation, and the replaced files are copied from there. Yes, if you
insert a CD that doesn't have SP4 applied to it, you will have to apply SP4
manually... You can then also use MBSA to scan for any other critical
patches that need to be applied... MBSA actually looks for the version of the .dll
file that must exist on the system - it doesn't look only for existing registry
keys.
Mike
"CHANGE USERNAME TO westes" <DELETE_westes@earthbroadcast.com> wrote in
message news:ukvKpS1aEHA.3988@tk2msftngp13.phx.gbl...
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uWH51PuaEHA.3356@tk2msftngp13.phx.gbl...
> > Between SFC and use of signed driver requirements you
> > can start to feel you have tightened the type of exploit path
> > you have been outlining.
>
> By the way, I'm still not clear on this: when I enable SFC, it seems to
> want to populate the dllcache with files from the original CD. How can it
> rely on these when the system may already be running a very late SP with
> lots of minor patches as well? Does Windows Update automatically keep
> the dllcache up to date?
>
> Wouldn't a virus defeat this just by writing itself to both the cache and
> system32 directories?
>
>
> > But think about it. Some driver is say causing issues - like your
> > 100% cpu use. If blind, prefabricated statistics were shown of
> > the different kernel "parts", you might see that driver getting very
> > small %age of cpu, but some valid and errorfree part of kernel
> > consuming high amount of cycles - not because it is in error but
> > because it is being driven by something that is in error. With
> > debugger you see the call stack and what is driving what how.
>
> That's obviously an excellent point. So it suggests to me that a
> diagnostic tool for the kernel, if it is to be used by relatively junior
> system administrators, must have the ability to show who are the primary
> users of different shared components. It must be possible for Microsoft
> to do this, but first they have to believe there is a requirement for it in
> the first place.
>
> It's depressing to me that someone in our company won't be able to do their
> job for a week, while their whole user environment is reconstructed from
> scratch, because we cannot do any diagnosis on what is wrong with their
> system.
>
> --
> Will
> westes AT earthbroadcast.com
>
>
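The check a practitioner would actually run to settle the two questions in this exchange (does a stale or tampered dllcache copy matter, and what does "looks at the version of the .dll file" mean in practice), written as an added example that is not part of the original thread or of any Microsoft tool. It compares a protected file in %SystemRoot%\System32 with its copy in the WFP cache, reports both file versions, and verifies the Authenticode signature of each copy. A replacement written to both locations still fails, because the trust anchor is the signed catalog, not the cache. Assumptions: Windows PowerShell 5.1 or later on Windows 8 or newer (older PowerShell cannot validate catalog-signed files and reports them as NotSigned), an elevated prompt, the file names in the default parameter, and a cache folder at System32\dllcache, which exists on Windows 2000/XP/2003 only; on Vista and later pass -CachePath explicitly or expect the cache column to read "missing".

```powershell
<#
Added example, not code from the original post or from Microsoft.
Compares System32 files with their WFP cache copies and checks the
Authenticode (embedded or catalog-backed) signature of both.
Assumes: PowerShell 5.1+, elevated prompt, dllcache present (see lead-in).
#>
param(
    # Assumed sample of protected files; any WFP-protected name works.
    [string[]]$FileName  = @('kernel32.dll', 'ntdll.dll', 'user32.dll'),
    # Assumed cache location; absent on Vista and later.
    [string]  $CachePath = (Join-Path $env:SystemRoot 'System32\dllcache')
)

function Get-SignatureVerdict {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "untrusted ($($sig.Status))" }
    # A valid signature from a non-Microsoft publisher is still not a
    # Windows system file, so check the signer as well as the status.
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return "foreign signer ($($sig.SignerCertificate.Subject))"
    }
    return 'ok'
}

function Get-FileVersionString {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    }
}

function Compare-ProtectedFile {
    param([string]$Name, [string]$Cache)
    $live     = Join-Path (Join-Path $env:SystemRoot 'System32') $Name
    $cache    = Join-Path $Cache $Name
    $liveSig  = Get-SignatureVerdict $live
    $cacheSig = Get-SignatureVerdict $cache

    [pscustomobject]@{
        File         = $Name
        LiveVersion  = Get-FileVersionString $live
        CacheVersion = Get-FileVersionString $cache
        LiveSig      = $liveSig
        CacheSig     = $cacheSig
        # A version difference between live and cache is normal after a
        # service pack. Only an untrusted or foreign signature on either
        # side indicates the file was replaced by something WFP would reject.
        Suspicious   = ($liveSig -ne 'ok') -or ($cacheSig -notin @('ok', 'missing'))
    }
}

$FileName |
    ForEach-Object { Compare-ProtectedFile -Name $_ -Cache $CachePath } |
    Format-Table -AutoSize
```

Run it from an elevated prompt; a row with Suspicious = True on a file whose live copy is unsigned or signed by someone other than Microsoft is exactly the case WFP reacts to with the "unrecognized versions" prompt quoted above. The built-in equivalent for the whole protected set is `sfc /verifyonly` (Vista and later), which reports without repairing, and `sfc /scannow`, which repairs.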